11-26-2014 03:40 PM - edited 03-11-2019 10:08 PM
Hi all,
I have my ASA connected to my ISP. My actual range is a /29; I need to add more IPs, a new /29, but the ISP can't give me a consecutive IP range. And the issue is I don't have any free port to work with.
What can the best option be?
Thanks!
11-26-2014 06:44 PM
Hi,
Could you please describe what you are trying to achieve with the second block of IPs?
I am guessing these new public IPs are for NAT to internal/DMZ servers. Is that correct?
If it's just NAT, then you do not need another interface on the ASA or consecutive IP range. You can create NAT statements on the ASA (similar to those for existing IP block) and ask your ISP to route traffic for that new /29 block to the ASA's outside interface IP.
If your ASA is on 8.4.4 or later code, then you might need the 'arp permit non-connected' command since the ASA does not have an IP from the second block on any interface.
Regards,
Srinath
11-27-2014 06:28 AM
Hello Srinath,
Yes, the new /29 block is for the DMZ. It's not a bad idea; after adding the NAT I would also have to make all the routing inside my ASA. One issue I have is that the ASA is an 8.2 version.
Thanks!
11-27-2014 06:02 PM
Hi,
This should be achievable in 8.2 code. Here is an example.
Let's say 10.0.0.1 and 10.0.0.2 are IPs from your old IP block. The new IP block contains IPs 10.0.1.1 and 10.0.1.2. You can create NAT like so:
static (dmz,outside) 10.0.0.1 192.168.0.1 netmask 255.255.255.255
static (dmz,outside) 10.0.0.2 192.168.0.2 netmask 255.255.255.255
static (dmz,outside) 10.0.1.1 192.168.0.3 netmask 255.255.255.255
static (dmz,outside) 10.0.1.2 192.168.0.4 netmask 255.255.255.255
Considering for this example your outside interface has an IP of 10.0.0.5, the ISP needs a route for the new IP block similar to this:
route 10.0.1.0 <subnet mask> next-hop 10.0.0.5
Once the packets arrive on the ASA, the NAT should kick in. Even if the ISP were to ARP for the 10.0.1.0 subnet, the ASA should respond back because in 8.2 code, that was the ASA's default behavior.
Regards,
Srinath
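An added example, not from the thread or from Cisco: a small Python audit of 8.2-style one-to-one static lines like the ones above. It assumes the outside interface address (10.0.0.5/29 here) and the two delegated /29s are known, and flags mapped addresses that fall outside the owned blocks, duplicate or collide with the outside IP, or sit in the non-connected /29 that the ISP must route toward the outside interface.

```python
import ipaddress
import re

# Constructed sample: the four static lines from the thread above plus one
# deliberately bad line (10.0.9.9 is in neither owned block) so the audit fires.
SAMPLE_CONFIG = """\
static (dmz,outside) 10.0.0.1 192.168.0.1 netmask 255.255.255.255
static (dmz,outside) 10.0.0.2 192.168.0.2 netmask 255.255.255.255
static (dmz,outside) 10.0.1.1 192.168.0.3 netmask 255.255.255.255
static (dmz,outside) 10.0.1.2 192.168.0.4 netmask 255.255.255.255
static (dmz,outside) 10.0.9.9 192.168.0.5 netmask 255.255.255.255
"""

# 8.2 static syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) "
    r"(?P<mapped>[\d.]+) (?P<real>[\d.]+) netmask (?P<mask>[\d.]+)$"
)

def parse_statics(config):
    """Return (mapped_ip, real_ip) pairs for host (/32) static translations."""
    pairs = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m and m.group("mask") == "255.255.255.255":
            pairs.append((ipaddress.ip_address(m.group("mapped")),
                          ipaddress.ip_address(m.group("real"))))
    return pairs

def audit_statics(config, outside_if, owned_blocks):
    """outside_if is e.g. "10.0.0.5/29"; owned_blocks are the delegated /29s.
    Returns a list of (mapped_ip, finding); an empty list means all clear."""
    outside = ipaddress.ip_interface(outside_if)
    blocks = [ipaddress.ip_network(b) for b in owned_blocks]
    findings, seen = [], set()
    for mapped, _real in parse_statics(config):
        if mapped == outside.ip:
            findings.append((str(mapped), "collides with the outside interface IP"))
        elif mapped in seen:
            findings.append((str(mapped), "mapped address used by more than one static"))
        elif not any(mapped in b for b in blocks):
            findings.append((str(mapped), "not in any owned public block"))
        elif mapped not in outside.network:
            # Second /29 is not on the wire: ISP must route it to the outside IP.
            findings.append((str(mapped), f"non-connected block, ISP must route it to {outside.ip}"))
        seen.add(mapped)
    return findings
```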
12-02-2014 10:57 AM
Hi all,
After all the work the customer will migrate to the new IP range. I have only one more question: I have to replace the global (outside) 1 x.x.x.x command with the new IP address. What can the impact be on the configuration if I do this?
Thanks all!
11-27-2014 03:13 AM
Hi,
Try to get an Internet edge router and ASA behind it. The new IP range would have its LAN gateway IP set as secondary IP address on the router.
This way you could do both NAT on ASA and assign host with a public IP.
11-27-2014 05:24 AM
Hello johnlloyd_13
I was thinking of putting a 2800 in front of the ASA, making the 2800 the device that will get the VPN, and of course the ASA will have all the ACLs.
I think that is what you are stating, right?
Thanks.
11-27-2014 03:57 PM
Hi,
Nope, it would be just simply a gateway router: a /30 on its WAN and 2x /29s on the LAN.
The VPN, NAT and ACL stuff will be on the ASA.